ABSTRACT

In recent years, intrusion detection has been defined as the detection of any security
threat. Information security has become a serious problem for the security of data and
networks. Highly secret data of different kinds are transmitted over the network, so
protecting that data from unauthorized users requires a very strong security structure.
An IDS (Intrusion Detection System) gathers and tests information from various areas
within a network to determine the most likely security threats, from both outside and
inside the system. An IDS deals with huge volumes of data that include redundant and
irrelevant features, which increases processing time and decreases the detection rate.
Therefore feature reduction plays an important role in an IDS. In this paper two
dimensionality reduction algorithms, PCA and SVD, were implemented on the KDDCUP'99
dataset. Experimental results were obtained to find the best reduced feature set, which
is then recognized using the SVM algorithm. Detection rate, error and accuracy are used
to evaluate IDS performance.
1. INTRODUCTION

Many intrusion detection systems have been proposed and tested in the last few years to
protect the vulnerable internet [1]. According to the results of the American Computer
Emergency Response Team / Coordination Center (CERT) [2], networking has shown a large
increase in recent years and has become the new weapon of world war [3]. Furthermore, the
report said that "Chinese Military Hackers" had made a plan to attack an "American Aircraft
Carrier Battle Group", viewed as a weak fighting range, via the internet. This information
leads to an urgent need to determine and prevent internet attacks [4]. Therefore we can say
that an IDS is very important for new computer systems. There are two general types of
computer IDS, anomaly detection and misuse detection. In misuse detection an alarm is
generated when a known attack signature is recognized, while anomaly detection identifies an
event that differs from the regular behaviour of the observed system, and therefore new
attacks can be recognized [5]. The information used comes from MIT's Lincoln Lab. It was
organized for the KDD (Knowledge Discovery and Data Mining) competition by DARPA and is
used as a basic evaluation for ID programs [6]. Experimental tests conclude that feature
reduction algorithms can reduce the dataset size. The space and time complexities of the
most used classifiers are "an exponential function of their input vector size" [7].
Further, the number of patterns needed for training the classifiers increases exponentially
with the size of the feature space. This restriction is called the "curse of
dimensionality". A feature space with fewer features that correlate with the classifications
minimizes the cost of pre-processing and decreases the effect of the classification peaking
phenomenon [8].

Today the computer and the internet have become important issues in our life. The openness
and scalability of the internet have made it an adaptable stage for a new generation of
on-line services, such as military, e-commerce, public web services, social networks,
online shopping, stock prices, etc. The popularity of these services has created a large
financial volume that deals with secret information accessed through the internet. The
internet has many different security issues because of the huge use of the network, the
value and importance of this information and the correlated on-line services, which have
made the internet a target for a wide variety of attacks [9, 10].

2. NETWORK SECURITY

Network security consists of the policies and provisions adopted by a network administrator
to prevent and detect misuse, unauthorized access and modification of a computer network
and its accessible resources [11].

2.1. Intrusion and Intruder

Intrusion: the violation of a computer system or network and its misuse to perform
malicious activities. When a user of an information system takes an action that the user is
not legally allowed to take, it is called an intrusion [11].

Intruder: the individual who attacks a computer system or network and misuses it. Two
kinds of intruders exist, the internal intruder and the external intruder [11]. An internal
intruder is a person who oversteps his bounded authority to perform an action. His action
may or may not harm the system or the services provided by the system, but it requires
gaining extra capability to perform an action without permissible authorization [13, 14].

External intrusion comes from outside the system and harms the computer system or
network. External intruders do not have any legal access to the system they attack. An
example of external intruders is hackers [12].

2.2 Intrusion Detection System (IDS): the mechanism of observing and analyzing the
events that happen in a computer system to detect signs of security trouble, which helps
in identifying a set of abnormal actions that compromise the "integrity, confidentiality
and availability of information resources". ID is a complex issue because of the main
concerns of detection speed, detection accuracy, the dynamic perimeter of networks and
the processing power needed to process huge data from segmented network systems [15].
2.3 Detection Methodologies

ID methodologies are categorized in two main classes:

2.3.1 Signature-based Detection (SD): a signature is a string that relates to a known
attack. Signature-based detection is the process of matching a pattern against recognized
intrusions. Because it uses information gathered from known attacks and system intruders,
signature-based detection is also known as "Knowledge-based Detection or Misuse
Detection" [16, 17].

2.3.2 Anomaly-based Detection (AD): an anomaly is a deviation from the known behaviour of
network connections, hosts or users over an interval of time; anomaly-based detection
flags monitored activity that deviates from the expected regular behaviour [18, 19].

3. PROPOSED SYSTEM 

The proposed system consists mainly of two major tasks:

1. Feature Reduction. 

2. Attack Detection. 

The proposed intrusion detection system is illustrated in Figure (1) and consists of the
following stages:



Figure (1) Proposed IDS.




http://www.iaeme.com/IJCIET/index.asp 470 editor@iaeme.com
Safana H. Abbas


A. Preprocessing stage

1. Labeling: The dataset is labeled using 10% of the corrected dataset over the whole
feature space. Every record in the dataset contains 42 features (e.g., protocol type,
service and flag) and is labeled as either normal or an attack with one specific attack
type, as shown in Figure (2), which is a sample from the dataset before normalization,
taking the first row as an example. It can be noticed that feature (42) carries the label,
which for this row is the normal type.



Figure 2 First row (data sample) of the 10% corrected KDD Cup dataset

2. Normalization: The attribute data are scaled so as to fall within a small specified
range such as (-1 to 1) or (0 to 1). Normalizing the input values of each attribute
measured in the training samples helps to speed up the classification stage.

B. Dimensionality reduction stage

Two different algorithms, principal component analysis (PCA) and singular value
decomposition (SVD), are used to reduce the 42 features as much as possible; the reduced
features are later applied to the recognition algorithm:

1. Principal component analysis (PCA)

PCA is a useful statistical method. Its main goal is to decrease the data dimension while
keeping the variation present in the original dataset.
Algorithm (1) PCA

Input: Proposed trained dataset.

Output: PCA set of most frequent and related features.

Steps:

1. Acquire the training KDD transactions.

2. Represent each transaction (I_i) as a vector (x_i).

3. Compute the average transaction.

4. Subtract the mean transaction from each vector; the centred vectors form the columns of A.

5. Estimate the covariance matrix C = A A^T.

6. Estimate the eigenvectors (u_i) of A A^T:

   a. Consider the smaller matrix A^T A.

   b. Estimate the eigenvectors (v_i) of (A^T A) such that:

      A^T A v_i = mu_i v_i  ->  A A^T A v_i = mu_i A v_i  ->  C u_i = mu_i u_i, where u_i = A v_i

   c. Estimate the best eigenvectors of A A^T: u_i = A v_i

7. Save only K eigenvectors.


2. Singular Value Decomposition (SVD)

SVD permits an exact representation of any matrix; removing the less significant parts
of that representation yields an approximate representation with any required number of
dimensions. Removing the least important items gives a smaller representation that closely
approximates the original matrix.
Algorithm (2) SVD

Input: Data matrix X

Output: New dimensions C

1. Repeat

2. Apply SVD to the matrix X as X = U S V^T

   X -> an m x n matrix
   - m -> number of sessions (vectors)
   - n -> number of attributes
   U <- matrix of the eigenvectors of X X^T
   S <- diagonal matrix of singular values
   V <- matrix of the eigenvectors of X^T X

3. Construct the covariance matrix from this decomposition by

   X X^T <- (U S V^T)(U S V^T)^T = (U S V^T)(V S U^T)

4. V -> an orthogonal matrix (V^T V = I), so X X^T = U S^2 U^T

5. The square roots of the eigenvalues of X X^T are the singular values of X

6. until every transaction D_i over the time interval t is represented as a vector x(t)_i

Return U^T X
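As an added example (not the paper's code), the reduction steps of Algorithms (1) and (2) in pure Python: sessions are mean-centred, the covariance matrix is eigen-decomposed by a Jacobi rotation helper (an assumed helper, not from the paper), the K largest eigenvectors are kept and every session is projected onto them, and singular_values() applies step 5 of Algorithm (2) by taking square roots of the eigenvalues of X X^T. The 4-session, 2-attribute matrix SESSIONS is constructed sample data.

```python
import math

def jacobi_eig(a, sweeps=100):
    """Eigen-decompose a symmetric matrix by cyclic Jacobi rotations (assumed helper).
    Returns (eigenvalues, V); column j of V is the unit eigenvector of eigenvalue j."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-20:
            break                                   # off-diagonal mass is gone
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                th = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, th) / (abs(th) + math.hypot(th, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                  # A <- A J   (columns p, q)
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(n):                  # A <- J^T A (rows p, q)
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
                for k in range(n):                  # V <- V J
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
    return [a[i][i] for i in range(n)], v

def pca_reduce(X, k):
    """Algorithm (1): mean-centre the m sessions (rows of X), estimate the covariance
    matrix, keep the k eigenvectors with largest eigenvalues, project every session."""
    m, n = len(X), len(X[0])
    mean = [sum(col) / m for col in zip(*X)]                          # step 3
    A = [[x - mu for x, mu in zip(row, mean)] for row in X]           # step 4
    cov = [[sum(A[r][i] * A[r][j] for r in range(m)) / (m - 1)        # step 5
            for j in range(n)] for i in range(n)]
    vals, vecs = jacobi_eig(cov)                                      # step 6
    keep = sorted(range(n), key=lambda i: -vals[i])[:k]               # step 7
    reduced = [[sum(row[i] * vecs[i][j] for i in range(n)) for j in keep] for row in A]
    return reduced, [vals[i] for i in keep]

def singular_values(X):
    """Algorithm (2) step 5: the singular values of X are the square roots of the
    eigenvalues of X X^T (the m x m session-by-session matrix)."""
    xxt = [[sum(a * b for a, b in zip(r1, r2)) for r2 in X] for r1 in X]
    vals, _ = jacobi_eig(xxt)
    return sorted((math.sqrt(max(v, 0.0)) for v in vals), reverse=True)

# Constructed sample: 4 sessions x 2 attributes that move together, so one component carries all variance.
SESSIONS = [[1.0, 1.0], [2.0, 2.0], [3.0, 3.0], [4.0, 4.0]]
```

With k=1 the kept eigenvalue is 10/3 and the projected coordinates are -1.5*sqrt(2), -0.5*sqrt(2), 0.5*sqrt(2), 1.5*sqrt(2) (up to the sign of the eigenvector).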


C. Attack detection stage

The support vector machine (SVM) is a machine learning algorithm that can perform binary
classification and regression estimation tasks. It is becoming increasingly popular as a
new paradigm of classification and learning because of two important factors. First,
unlike other classification techniques, SVM minimizes the expected error rather than the
classification error. Second, SVM employs the duality theory of mathematical programming
to obtain a dual problem that admits efficient computational methods. SVM is introduced
through the linearly separable two-class problem, for which the optimal separating
hyperplane is considered; techniques then extend it to linearly inseparable two-class
problems and to non-linear SVMs, and finally SVMs have a universal approximation property.
Algorithm (3) SVM

Input: Train D training dataset, Test D testing dataset that has not been recognized
Output: Test D testing dataset that has been recognized

Steps:

1. All points in the training dataset are initialized as (X_i, Y_i), where X is a data
vector and Y is the class vector.

2. The weight vector (W) is initialized.

3. All points (x, y) are distributed and the separating hyperplane is extracted.

4. If the hyperplane obtains an optimal division, use the hyperplane to classify Test D
and go to End; else do the following steps.

5. Maximize the hyperplane margin.

6. Initialize the Lagrange multiplier vector a (a_i).

7. Use the classification function.

8. Determine the support vectors (x_i) with non-zero a_i.

9. Use the hyperplane obtained after determining the support vectors as the classifier model.
End


4. CRITERIA FOR EVALUATION

To evaluate the performance of the proposed model, the accuracy, detection rate, false alarm
rate and confusion matrix are estimated by counting True Positives (TP), True Negatives
(TN), False Negatives (FN) and False Positives (FP), as illustrated below:

• Accuracy = (TP + TN) / (TP + TN + FP + FN) [1]

• Detection rate = TP / (TP + FP) [2]

• False alarm = FP / (FP + TN) [3]

• A confusion matrix gives the number of samples predicted correctly or incorrectly by a
classification model.
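As an added example, not from the paper: a confusion matrix built from constructed per-record labels, and the three measures computed exactly as formulas [1] to [3] above define them (note that [2], with FP in the denominator, is what is usually called precision; the code follows the paper's definition).

```python
from collections import Counter

def confusion_matrix(actual, predicted, positive="attack"):
    """Count TP, FP, TN, FN over paired labels; `positive` is the class the
    IDS should raise an alarm on (an attack record)."""
    c = Counter()
    for a, p in zip(actual, predicted):
        alarm, truth = p == positive, a == positive
        c["TP" if alarm and truth else "FP" if alarm else "FN" if truth else "TN"] += 1
    return {k: c[k] for k in ("TP", "FP", "TN", "FN")}

def _ratio(num, den):
    """Percentage, defined as 0 when the denominator is empty (e.g. no alarms raised)."""
    return 100.0 * num / den if den else 0.0

def evaluate(cm):
    """Formulas [1] to [3] of the paper, as percentages."""
    tp, fp, tn, fn = cm["TP"], cm["FP"], cm["TN"], cm["FN"]
    return {
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),     # [1]
        "detection_rate": _ratio(tp, tp + fp),              # [2], as the paper writes it
        "false_alarm": _ratio(fp, fp + tn),                 # [3]
    }

# Constructed labels for ten records: ACTUAL is the dataset label, PREDICTED is
# what a classifier stage returned for the same record.
ACTUAL = ["attack", "attack", "normal", "normal", "attack",
          "normal", "normal", "attack", "normal", "normal"]
PREDICTED = ["attack", "normal", "normal", "attack", "attack",
             "normal", "normal", "attack", "normal", "normal"]
```

On the constructed labels this gives TP=3, FP=1, TN=5, FN=1, so accuracy 80%, detection rate 75% and false alarm 16.67%.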


5. RESULTS

SVM is the classification algorithm used for the proposed intrusion detection system,
together with the feature dimensionality reduction algorithms (PCA and SVD), on the KDD'99
Cup datasets.

In the training part, the KDD 99 train dataset has (sample records); the R2L and U2R attack
classes have few patterns in their class, as do the DOS and probe classes and all the
remaining classes. Training is performed on the full-featured dataset as well as on the
feature-reduced dataset.
5.1. Principal Component Analysis (PCA)

The first algorithm that we used for dimensionality reduction is Principal Component
Analysis (PCA). We applied PCA with different numbers of selected components k (the reduced
number of features). By trial and error, the values 7, 11 and 21 features out of the
original 42 features were tested. Table (1) shows the evaluation results after applying the
SVM classification algorithm on the KDD Cup 99 testing dataset with PCA using k=21.


Table (1) Evaluation of the proposed IDS using SVM and PCA with K=21 on testing dataset

               Confusion matrix                     Detection   False    Accuracy
    TP         FP        TN         FN              rate        alarm
    98.1681    0.8319    99.3548    0.6452          99.1681     0.3833   99.2063





5.2. Singular Value Decomposition (SVD)

SVD is applied with different numbers of selected features, called k-feature selection
(the reduced number of features), usually after mean-centering (normalizing) the data
matrix for each feature. There is no prior rule that gives any clue about the choice of k,
so we tested SVD using three different k values (k=21, 11 and 7) out of the original 42
features. Table (2) shows the evaluation results after applying the SVM classification
algorithm on the KDD Cup 99 testing dataset with k=21.


Table (2) Evaluation of the proposed IDS using SVM and SVD with K=21 on testing dataset

               Confusion matrix                     Detection   False    Accuracy
    TP         FP        TN         FN              rate        alarm
    99.8841    0.1159    0          100             99.8841     100      99.9074





6. DISCUSSION

Table (3) shows the overall performance results of the Support Vector Machine (SVM) on the
KDD Cup 99 testing dataset using the two dimensionality reduction algorithms (PCA and SVD)
with k=21, which gives better accuracy than the other k values.
Table (3) Accuracy of using SVM with SVD and PCA on testing dataset

    Dimension reduction algorithm    Features No.    Average accuracy
    PCA                              21              99.2063
    SVD                              21              99.9074


Figure (3) illustrates the performance results on the testing dataset using the two
dimensionality reduction algorithms that we used with the Support Vector Machine
classification algorithm.



Figure (3) Accuracy of using SVM with PCA and SVD on training data 

7. CONCLUSIONS

The aim of this paper is to propose an IDS that uses the PCA and SVD algorithms to reduce
the 42 IDS features and passes the reduced set to the SVM classification algorithm for
recognition.

By trial and error, the best k value is 21, which gives the highest accuracy when using
PCA and SVD with the SVM algorithm. It is clear from tables (1), (2) and figure (3) that the
SVD algorithm gives better accuracy values than the PCA algorithm. It is obvious from
tables (1), (2) and (6) that the TP and TN values are much higher than the FP and FN values,
which means that the proposed system gives good detection rates. Finally, the features for
all traffic classes were successfully reduced with the feature selection algorithms PCA and
SVD. This reduction is very important in minimizing memory and CPU time.